Block local openVPN connections
-
I noticed that several colleagues don't disconnect their OpenVPN client (lazy guys!) when they arrive at the office. Therefore the traffic to local servers is unnecessarily routed through the pfSense, because the TAP adapter has the highest priority in Windows.
My old router (IPCOP) did block local VPN connections by default. I've tried to create a firewall rule to block local access, but it didn't work:
WAN Rule
Action: Block
Interface: WAN
TCP/IP Version: IPv4
Protocol: UDP
Source: LAN net
Destination: WAN address
Destination Port range: 1195 (our VPN port)
What am I doing wrong?
Best,
Daniel
-
I think you are using Outbound NAT, so the clients have the IP address your outbound NAT rule assigns to the outgoing connections.
So replace the source address in your rule with the outbound NAT address to block these connections.
-
Put the rule on the LAN interface instead of WAN. The connections are coming in from the LAN interface and it's not possible to block them using WAN rules because the traffic is arriving to the WAN interface from the "inside" and not from the internet.
-
@kpa:
because the traffic is arriving to the WAN interface from the "inside" and not from the internet.
Thanks for the correction. I hadn't considered that.
-
I think you are using Outbound NAT, so the clients have the IP address your outbound NAT rule assigns to the outgoing connections.
So replace the source address in your rule with the outbound NAT address to block these connections.
I assume the "outbound NAT address" is equal to the "WAN address"?
@kpa:
Put the rule on the LAN interface instead of WAN. The connections are coming in from the LAN interface and it's not possible to block them using WAN rules because the traffic is arriving to the WAN interface from the "inside" and not from the internet.
I tried (directly below the "Anti-Lockout rule"):
Action: Block
Interface: LAN
TCP/IP Version: IPv4
Protocol: UDP
Source: WAN address
Destination: WAN address
Destination Port range: 1195 (our VPN port)
and also
Action: Block
Interface: LAN
TCP/IP Version: IPv4
Protocol: UDP
Source: LAN net
Destination: WAN address
Destination Port range: 1195 (our VPN port)
But the clients are still able to connect to the OpenVPN server within the LAN.
Any ideas?
-
Just for reference: after updating to v2.2.2 I was able to block local OpenVPN access with the same rules described in the previous post. Therefore it seems to be an issue of the 2.1 release.
Problem solved.
-
Sorry for bumping such an old topic, but it's very relevant.
I can't understand why your method didn't work for me, as it makes perfect sense. It's even weirder that what I came up with did work. After firewall rules failed to achieve the desired result, I tinkered elsewhere. Here is a NAT Port Forward rule that achieved the same goal.
Interface: LAN
Protocol: UDP
Source: Any (this is default)
Source Port: Any (this is default)
Destination: WAN address
Destination port range: 1196 (our VPN port)
Redirect target IP: Random private IP address that is NOT part of your LAN network. I used 192.168.1.254, but our LAN network is 192.168.21.0/24
Redirect target port: I just chose a random port. 45534
I was surprised that it even let me create this rule, but doing so made it so people who are connected to the LAN can no longer connect to the OpenVPN server while people connecting to the VPN from outside the office are unaffected.
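The two approaches in this thread, the LAN-tab block rule that worked after the 2.2.2 update and the NAT port forward workaround from the post above, written out as the pf rules pfSense generates from the GUI. This is an added example, not code from any post on this page or from the pfSense project. The interface names em0 (LAN) and em1 (WAN) are assumptions; the LAN subnet 192.168.21.0/24, the ports 1195 and 1196, and the redirect target 192.168.1.254:45534 are taken from the posts.

```pf
# Added example: pf equivalents of the GUI rules discussed in this thread.
# Assumed interfaces: em0 = LAN, em1 = WAN (not stated on the page).
lan_if  = "em0"
wan_if  = "em1"
lan_net = "192.168.21.0/24"   # LAN subnet from the last post
vpn_port = "1195"             # OpenVPN port from the first post

# Translation rules must precede filter rules in pf, so the workaround
# from the last post comes first. It redirects LAN-originated UDP to the
# WAN address (port 1196 in that post) to an address that is not on the
# LAN, so the handshake never reaches the OpenVPN listener. Nothing is
# logged, because the packet is rewritten rather than dropped.
rdr on $lan_if inet proto udp from any to ($wan_if) port 1196 -> 192.168.1.254 port 45534

# Does NOT work (the first post's WAN rule): rules on the WAN interface
# are evaluated only for packets entering em1 from the outside. Packets
# from office clients enter on em0, so this rule never matches them.
# block in quick on $wan_if inet proto udp from $lan_net to ($wan_if) port $vpn_port

# Works: evaluated as the packet enters the LAN interface, before it is
# delivered to the local OpenVPN daemon. "($wan_if)" is the interface's
# current address, which is what the GUI means by "WAN address". The
# "log" keyword makes each blocked attempt visible in the firewall log,
# so you can see which clients still have the VPN running in the office.
block in log quick on $lan_if inet proto udp from $lan_net to ($wan_if) port $vpn_port
```

The block rule is the cleaner of the two: it records the attempt and it cannot be defeated by a client that happens to pick the redirect target address. After saving the GUI rule on pfSense, the generated ruleset in /tmp/rules.debug should contain a line of the same shape, which is a quick way to confirm the rule landed on the LAN interface rather than WAN.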
-